Opened 20 months ago

Last modified 8 months ago

#6361 (enhancement, status: new)

twisted.internet.ssl.PrivateCertificate.options() is limited by allowing only authorities

Reported by: hynek
Owned by:
Priority: normal
Milestone:
Component: core
Keywords:
Cc: hs@…
Branch:
Author:
Launchpad Bug:

Description

Work on #6286 unveiled that PrivateCertificate.options is (unnecessarily) greatly hampered by only allowing a list of certificate authorities.

If we allowed passing in the same arguments as into CertificateOptions, lots of code would be simpler and also more idiomatic.

Change History (3)

comment:1 Changed 20 months ago by hynek

  • Cc hs@… added
  • Summary changed from PrivateCertificate.options is limited by allowing only authorities to twisted.internet.ssl.PrivateCertificate.options() is limited by allowing only authorities

comment:2 Changed 20 months ago by glyph

I really would like to see the description for this ticket refined.

The idea behind .options() is that it's an abstract interface that provides a sensible set of options for TLS connections.

OpenSSLCertificateOptions, by contrast, is a pile of OpenSSL-specific implementation stuff in support of that interface. In particular it takes X509 instances rather than Certificate or PrivateCertificate instances to its constructor.

Now, obviously, the interface is not complete, but as we expand it, please don't add every single option, expressed in the bizarre, demented style that OpenSSL requires, requiring application code to import constants and classes from OpenSSL themselves. It's supposed to be an abstraction layer.

comment:3 Changed 8 months ago by hynek

Okay, what are we gonna add how? :)

It’s currently useless for servers because it lacks certs/keys & DHE params and it’s useless for clients because it doesn’t support trustedRoot.
